Phishing Archives

Dell Data Breach: 49M Customer Records Exposed

Posted on May 15, 2024May 15, 2024 by Srishti Chaubey

In a data breach that has caused anxiety about security and privacy, Dell, a technology hardware giant, has admitted to its occurrence having affected 49 million customer records. The unsecured API linked to a partner portal allowed hackers to swipe a huge amount of information about customers from Dell’s database.

Dell Data Breach Customer Records: Source Daily Dark Web — **Dell customer data on Breach Forums**
*Source: Daily Dark Web*

Methodology of the Breach

The hacker, known as Menelik, shared his methodology with TechCrunch .

“Believe me or not, I kept doing this for nearly 3 weeks and Dell did not notice anything. Nearly 50 Million requests…After I thought I got enough data, I sent multiple emails to Dell and notified the vulnerability. It took them nearly a week to patch it all up,” Menelik said.

Dell on the other hand, responded with “Let’s keep in mind, this threat actor is a criminal and we have notified law enforcement.”

Exploiting Partner Accounts: The threat actor created multiple “partner” firms known by different names for multiple accounts thereby leading in access to sensitive customer records.
Scraping Customer Data: They stole huge amounts of client data directly from Dell’s servers including personal particulars and purchase information.
Persistence and Volume: For nearly three weeks, the perpetrator launched an unyielding onslaught of appeals that led to almost 50 million records.
Reporting: They emailed Dell on April 12th and 14th to report the bug to Dell security team

Dell Data Breach Customer Records: Email to Dell from Menelik — **Email sent to Dell about partner portal flaw**
*Source: Menelik*

“Prior to receiving the threat actor’s email, Dell was already aware of and investigating the incident, implementing our response procedures and taking containment steps. We have also engaged a third-party forensics firm to investigate.”

Stolen Data Details

The exposed data has customer order data, including warranty information, service tags, names, locations, customer numbers, and order numbers.

The hacker, Menelik says the stolen customer records include the following hardware breakdown:

Monitors: 22,406,133
Alienware Notebooks: 447,315
Chromebooks: 198,713
Inspiron Notebooks: 11,257,567
Inspiron Desktops: 1,731,767
Latitude Laptops: 4,130,510
Optiplex: 5,177,626
Poweredge: 783,575
Precision Desktops: 798,018
Precision Notebooks: 486,244
Vostro Notebooks: 148,087
Vostro Desktops: 37,427
Xps Notebooks: 1,045,302
XPS/Alienware desktops: 399,695

Mitigation Efforts

Incident response protocols were deployed by Dell, containment strategies were employed, and external forensic experts were contracted to investigate and fix vulnerabilities.

Conclusion

Dell has advised customers to remain vigilant at all times by reporting any suspicious activities associated with their accounts or purchases as soon as possible.

The 49 million customer purchase data between 2017-2024 looks like the perfect phishing bait. Anyone posing as dell representative can trick users into clicking links and being set up for credential theft.

We need to prevent a phishing incident like those that rocked Okta, Dropbox and Lastpass. It becomes imperative to fortify your organization with robust authentication methods. Embracing passwordless authentication could be precisely the solution needed. After all, if you don’t possess traditional credentials, they can’t be stolen, can they?

Cisco VPNs Suffer Brute Force Attacks : Here’s Your Shield!

Posted on April 18, 2024June 25, 2024 by Srishti Chaubey

Cisco recently issued a warning about large-scale brute-force attacks targeting VPN and SSH services on Cisco and other devices worldwide. These attacks pose significant risks to enterprise security, necessitating immediate action.

Hacker can login to VPN with stolen credentials

Cisco Warning and Compromised Services

Cisco Talos reports a surge in brute force attacks since March 18, 2024, targeting VPN services. These assaults exploit vulnerabilities in traditional password-based authentication, compromising network integrity. The known affected services are following:

Cisco Secure Firewall VPN
Checkpoint VPN
Fortinet VPN
SonicWall VPN
RD Web Services
Miktrotik
Draytek
Ubiquiti

History: Not so Private Virtual Private Networks

If you are here reading this blog, you know the drill. Maybe a password is slipped in code, spoofed, phished, whaled, 2FA or MFA is breached, or even a vendor is breached, and your organization and user information lies in the hands of a threat actor. According to an HBR Report “The FBI regards a cybersecurity breach at every organization—including yours—as a matter not of ‘if,’ or even ‘when,’ but ‘how often.'”

Most often then not, these threat actors will siege your assets, ask for ransom and cause a lot of trouble. Two out of Three organizations, without a regard of size, have faced ransomware in 2023. Beyond the cost of expenses, including, potentially, the ransom itself, downtime averages $365,000 an hour in revenue loss. When you consider that the average recovery time is three weeks, it becomes clear how devastating these attacks can be.

In our previous blog we have discussed VPN breaches in detail. Anyhow, here’s some compact data for you.

Affected Entity	Root Cause	Impact
Avast Antivirus	Stolen credentials	Adversaries modified the CCleaner distributed by Avast .
Lockheed Martin	CVE-2011-0609	Critical data related to the defence contracts leaked.
Pulse Secure	CVE-2019-11510	1000 enterprises are at risk of ransomware attacks.
Ukraine Power grid	Malware	Power grid taken offline leading to no electricity for thousands.

List of the most serious VPN attacks due to stolen credentials

Brute Force Attacks

Brute force attacks involve systematically trying multiple username-password combinations until the correct one is found. Attackers leverage proxies like TOR, VPN Gate, IPIDEA Proxy etc to conceal their origins, intensifying the challenge of detection.Password spray attacks, on the other hand, target numerous accounts with commonly used passwords, increasing the likelihood of success.

Your Knight in Passwordless Armour – PureAuth

In light of escalating threats, enterprises must prioritise the adoption of passwordless VPN solutions. Embracing innovative authentication mechanisms ensures a resilient defence against evolving cyber threats.

Passwordless Authentication in popular VPN by PureAuth — VPNs you can make Passwordless

Transitioning to passwordless VPN systems offers a robust defence against brute force attacks. By eliminating passwords, these systems thwart credential stuffing attempts, enhancing overall security.

Conclusion

In the face of mounting VPN vulnerabilities, the imperative to transition to passwordless systems cannot be overstated. By embracing advanced authentication methods, organisations can fortify their defences against brute force attacks, safeguarding critical assets and data.

Read Also

Your 1st Step to #GoPasswordless

Credential stuffing Attacks on VPN: Serious Risk for Enterprise

Google 2FA Breach: Rethink Authentication Security

Posted on April 15, 2024April 18, 2024 by Srishti Chaubey

In today’s digital landscape, safeguarding our online presence is paramount. Two-factor authentication (2FA) has emerged as a crucial tool in this endeavour. Platforms like Google and Facebook offer 2FA to bolster account security. However, there have been multiple incidents revealing vulnerabilities in this system, prompting concerns among users.

The Case of the Bypassed 2FA

Recent reports unveiled breaches in Gmail and YouTube accounts despite 2FA activation. This revelation underscores a fundamental truth: security with passwords, along with 2FA or MFA is fallible. Hackers continuously adapt their tactics, exploiting weaknesses even in trusted systems like 2FA.

Understanding the Bypass

While the exact method remains undisclosed, hackers may employ various strategies to circumvent 2FA. According to Forbes, It’s probable that these users fell prey to what’s known as a session cookie hijack attack. Typically initiated through a phishing email, hackers direct victims to a counterfeit login page. Upon entering their credentials, users are prompted to complete a simulated 2FA challenge, which they unwittingly comply with.

The Role of Vigilance

Despite these challenges, I would personally suggest moving away from systems that solely rely on 2FA for authentication. But in the extreme case where abandoning 2FA is not the solution, users must adopt additional measures to enhance their security posture.

Secure Alternative to 2FA/MFA

As we have seen numerous instance of 2FA & MFA getting by passed, enterprises need better methods to secure access to their resources. PureAUTH Secure IAM platform provides Zero Trust -Passwordless access and protects enterprises from following type of attacks

Password Spraying & brute forcing attacks
Credential Phishing, Push fatigue and Adversary in the middle attacks
Public Key replacement attacks targeted at solutions using Public Key based authentication like FIDO keys
Social Engineering attacks to reset user credentials and reset or disable MFA/2FA
Abuse of shared credentials or leaked credentials and in general credential stuffing attacks

Elevating Security: Going Beyond 2FA

Security is an ongoing journey, requiring a multifaceted approach. While the challenges of bypassing 2FA are evident, there’s a growing trend towards passwordless authentication methods. Embracing secure identity and access management technologies, adopting a zero-trust architecture are some promising alternatives. By adapting these alternatives and staying vigilant, users can reinforce their online security against the ever-evolving tactics of cyber criminals.

PureID offers solutions that curate a robust defence against unauthorised access, heralding a more secure digital future for organizations. Embrace the resilience of passwordless authentication, reinforce your security posture with PureID, and navigate the cybersecurity landscape with renewed strength. The journey continues—Passwordless Authentication awaits.

Mother of all breaches: Which you could have avoided !!

Posted on January 25, 2024January 29, 2024 by Srishti Chaubey

Introduction

Don’t use passwords they said. It can be breached they said. Well, surprise, surprise, we didn’t pay much attention. Now, here we are, nervously checking our email IDs against the colossal 26 billion-record breach – the mother of all breaches!

Breach Unveiled: A Symphony of Chaos

So, there’s this massive breach, Mother of All Breaches (MOAB), a digital pandemonium that has exposed a whopping 26 billion records. It’s like a digital opera – records from MySpace to Adobe, starring Tencent, Weibo, Twitter, and LinkedIn. Your data just had its grand debut!

Mother of all breaches: 100M+ leaked records — Credit: https://www.extremetech.com/internet/repository-named-moab-mother-of-all-breaches-contains-12tb-of-stolen-credentials

The Dramatic Unfolding

Picture this: MOAB is a blockbuster compilation of data breaches, meticulously curated. It’s like a Hollywood blockbuster, but your credentials are the star, and not in a good way. Your once-secure passwords are now part of a hacker’s treasure trove. Slow clap for the password drama.

Passwords – The Ultimate Blunder

If Ellen DeGeneres hosted this show, she’d say, “You had one job – say no to passwords!” See the aftermath? Identity theft, phishing attacks, and a surge in password-stuffing shenanigans. All thanks to those outdated, reused, and easy-to-crack passwords.

Passwordless Paradise: Where Dreams Come True

Now, imagine an alternate universe where you actually listened – where passwordless authentication is the superhero. No MOAB nightmares, just smooth, secure logins without the hassle of juggling countless passwords. A utopia, right?

Mitigation Party: Reclaim Your Digital Kingdom

Inspect Your Vulnerability: Employ tools such as “Have I Been Pwned” and data leak checker . data leak checker. Use “Privacy Hawk” to trace your data’s path and request removal from unwanted websites. Move swiftly: Purge your digital footprint by eliminating your data from irrelevant websites.

Conclusion: Lessons Learned (Hopefully)

In an ideal world, you’d have embraced passwordless authentication, and we’d all be sipping digital margaritas by now. But, alas, here we are – dealing with the aftermath. Take this as a digital wake-up call: passwords belong to the past, let’s march into a passwordless future.

A Final Plea: Break Free from Passwords

Passwords are so yesterday!! The revolution is calling – will you answer? Join the passwordless parade; your digital sanity will thank you later. Use PureId, Stay Safe.

MongoDB Security Incident: Navigating the Aftermath

Posted on December 27, 2023January 2, 2024 by Srishti Chaubey

Breach Chronicles: MongoDB’s Unsettling Security Saga Unfolds

On December 13, 2023, MongoDB, a prominent US-based open-source NoSQL database management system provider, faced a substantial security incident. This breach of MongoDB Atlas, a fully-managed cloud database, unfolded as unauthorised access infiltrated corporate systems, laying bare customer account metadata and contact information. The assailants employed a cunning phishing attack, exploiting support service applications. The consequences were dire – a trove of sensitive data, including customer names, phone numbers, and account details, left exposed in the turbulent aftermath of this cyber storm.

Intrusion Footprints: A List of IPs Disclosed

In a proactive move, MongoDB disclosed a comprehensive list of external IP addresses on their alerts page. These IPs were strategically employed by the unauthorised third party. Organisations are strongly advised to meticulously scrutinise their networks, diligently searching for any ominous signs of suspicious activity intricately linked to these disclosed IPs. If you spot these IPs, you’ve got unwelcome guests. Remember it’s time to act, and act fast.

Phishing & Social Engineering – The Achilles’ Heel of Multi-Factor Authentication

MongoDB issues a resolute counsel to its user base, emphasising the critical need to bolster defences against the looming threats of social engineering and phishing. In response, the company advocates the implementation of multi-factor authentication (MFA), urging users to promptly update their MongoDB Atlas passwords as an additional layer of security.

Phishing attacks or social engineering can bypass and disable all types of MFA solutions, as seen time and again. The security incident under discussion started with phishing attacks. So implementing MFA will have zero security advantage but will only increase the cost, efforts and complexity of authentication.

GoPasswordless – The best protection for MongoDB

Going passwordless with PureAUTH will benefit in 2 broad ways to protect MongoDB or any other enterprise applications –

Secure Authentication – PureAUTH offers passwordless authentication which is secure from phishing & social engineering attacks.
Resilience in case of data breach – If data from the database like MongoDB is leaked due to mis-configurations, 0-day vulnerability or insider attacks etc, the adversary will not find any passwords, MFA seeds, swap-able public keys, or any usable data to carry out unauthorised access elsewhere.

Conclusion

Amidst the gloom, MongoDB presents a silver lining: Passwordless Authentication. It’s a call to transcend traditional password reliance for a more secure future. Fortify your defences with passwordless security. MongoDB users, the future beckons. Embrace the resilience of passwordless authentication, reinforce your security posture with PureID, and navigate the cyber security landscape with renewed strength. Passwords? Pfft, that’s so yesterday. The journey continues—Passwordless Authentication awaits.

Password Managers are the Hot Targets

Posted on January 26, 2023May 15, 2024 by Srishti Chaubey

Lastpass reported a security breach a month ago, which is the 8th security incident in the last 11 years. This incident was followed by a recent disclosure by a Google researcher. Many popular password managers like Dashlane, Bitwarden, and Safari can be phished.

There are many lessons that we all need to learn from these recurring incidents. This post is to uncover few points that we have seen have not been discussed by the info-sec community and the industry.

The Catch-22 – Phish or no Phish?

LastPass warned its users of an increased likelihood of Phishing attacks, Credential Stuffing, or other brute force attacks against online accounts associated with their LastPass vault.

Password Managers getting phished is an alarming situation

This statement goes against what all the password managers like LastPass claims – “use of password manager protects users from phishing attacks“.

In recent times there have been more incidents where password managers have been proved vulnerable to phishing attacks. You can find more details in this article Popular password managers auto-filled credentials on untrusted websites

The Impact

In their blog post, Lastpass reported that customer’s personal information like email, phone number, billing address, IP address have been compromised. That is not all, what LastPass has not talked about is the additional information they collect from their users using their mobile app.

The screenshots below show the permissions that Lastpass app takes on a user’s phone.

Permission take by LastPass app on an Android device

These permissions enable the application provider like LastPass (other password managers take similar types of permission on user’s device) to collect more information about the user than probably needed.

User Information collected by LastPass app

In case of a breach, like what happened with LastPass, the severity of the incident and privacy impatc will be more if any additional information collected from the user’s phone is also leaked.

The Passwords

Furthermore, LastPass has reported that customer’s vault containing clear text data, such as website url, and encrypted data of username and password were also obtained by the threat actors.

Lastpass emphasised on the use of master key, and how a threat actor can not decrypt the password vault even if they have the encrypted data, as the master key, which is a master password set by the user and is not stored on lastpass network.

While 1Password, a rival firm of Lastpass, claims through their blog that passwords of LastPass can be cracked in $100. They also talk about their superior method of using secret key and Password Authenticated Key Agreement systems, which makes 1Password’s systems next to impossible to crack.

With the device specific keys mentioned by 1Password, we feel syncing of the passwords across multiple devices becomes a risky affair. Since passwords need to be decrypted on another device and it needs the user chosen master password as well as the secret key from the earlier device. This problem cannot be solved without exposing the secret key or the user’s passwords (encrypted just with the user chosen master password), in transit.

Conclusion

After a series of events involving Password Management products, enterprise must seriously think about how safe their user’s data and passwords really are.

Not to forget, server doesn’t care if the password is coming from a password vault or from an adversary, the server will authenticate as long as it can match the string. So no matter, how and where you store passwords, as long as there as passwords, Enterprises are always at risk.

For a better security, Enterprise must plan to remove passwords from their applications, servers and #GoPasswordless

Dropbox Employees Phished, GitHub Repositories Exposed

Posted on December 20, 2022January 9, 2023 by Srishti Chaubey

Dropbox disclosed a security breach on October 14th 2022, resulted due to Phishing Emails. The email was impersonating a third-party service used by its employees. The attack resulted in credential leaks of employees, which enabled the threat actors access to their Github accounts. The hackers stole the content from 130 repositories, consisting information about Dropbox employees, users, and vendors.

The Incident

Phishing campaign initiated by adversary targeted multiple Dropbox Employees. The emails were crafted to mimic communication from CircleCI , which is a Continuous Integration and Delivery Platform. The phishing link redirected users to a landing page where they were asked to enter their GitHub username and password.

CircleCI login options — CICircle Login page

On a fake GitHub page, the employees were requested their Hardware Authentication Keys to provide an OTP for 2 step authentication. Adversaries used these credentials to access some less secure repositories of Dropbox, containing some API keys, and customised tools.

The adversaries are not traced yet, as they used VPNs to hide their tracks.

The Impact

Dropbox breach is a direct result of phishing, which was not contained by 2FA or MFA solutions the firm normally has in place.

Furthermore, the laws of the United States allow authorities to have access to user data under Patriot Act and such, hence the firm can also store user information. In the past, there have been multiple instances at Dropbox where user data was compromised. However, in this particular case, the company is claiming that no core app code was compromised. For more details, visit here.

Previous Incidents

Dropbox is not the sole victim of brand impersonation phishing attacks. Earlier, other organisations such as Sony Pictures, BenefitMall, and JP Morgan Chase have fallen victim to the same. Furthermore US Power grid and John Podesta are also highly notable examples of Phishing Attacks.

IBM’s 2021 Cost of a Data Breach Report found phishing to be the second most expensive attack vector to contend with, costing organisations an average of $4.65 million. Phishing using brand impersonation is becoming quite popular as well. LinkedIn is used for this purpose 52% of the time, while DHL, Google, Microsoft and FedEx also hold a considerable proportion of it. You can find more about the stats here.

Mitigation

Millions of phishing emails are sent daily. Many spam mails slips through spam filters and when that happens, you must be able to rely on your employees to stay vigilant and act responsibly. That is the reason why many companies opt for Employee Awareness Training Plans.

When training campaigns cannot keep pace with the new trends, and URL-checking anti-phishing measures is proving to be far more intrusive. The best option right now is to switch to Password-less Systems with Zero Knowledge Encryption.

With PureAuth Password-less authentication, you can effectively mitigate the risk of having your password compromised by phishing and a number of other methods.

Feel free to explore further blogs by us related to Phishing and Github . Stay safe. #Gopasswordless

Ever increasing Office365 Credential Phishing Campaigns

Posted on August 26, 2020January 9, 2023 by Atharva Chincholkar

In the advent of widespread electronic communication we relied on a password for verifying the identity of a person. As it turns out, passwords are not secure enough to trust most information with. Two Factor Authentication to the rescue! right? Well, it’s not so easy.

As systems have become secure, the attackers have shifted their focus on capitalizing on the weakest link – Humans. While 2FA has somewhat solved the problem of people using ‘password’ or ‘1234’ as their passwords, it cannot fix the inherent problem with humans. We make decisions based on our knowledge which is flawed most of times. Attackers take advantage of this to carry out social engineering attacks such as phishing.

Risk of Phishing attacks

Verizon Data Breach Investigation Report 2019 observed Phishing was used in 32% of confirmed breaches, and also 78% of cyber-espionage cases. Additionally, VDBIR also states that 29% breaches involved the use of stolen credentials which again is commonly accomplished through phishing attacks.

Due to the large number of successful phishing attacks, VDBIR mentions it as a #1 Threat Action.

Phishing attacks on Office 365

As such, there have been multiple attacks against Microsoft’s Office 365 platform which hosts productivity apps and documents, very important to businesses.

This phishing campaign uses Google’s Ads services to get around secure email gateways. Here you can see how blindly trusting anyone, even Google, can backfire.

Zoom Phishing mail
(source: Abnormal Security)

Office 365 Phishing page
(source: Abnormal Security)

With the popularity of Zoom skyrocketing, the attackers have been bandwagoning onto the new attack vector to target Office 365 logins. The trick they used is to rush the users by making them believe that their Zoom account might get suspended. Oh! The horror of not attending a meeting!

They have also used fake Teams alert, Relief payments, VPN configs to try to get your Office logins. Looks like they desperately want your office 365 credentials.

All the more reason to protect yourself against such attacks.

Effective Mitigation for Phishing: Go Passwordless

When all the training campaigns are failing & URL checking anti phishing measures are proving to be far more intrusive, you can effectively mitigate the risk of Phishing by going Passwordless.

With PureAuth passwordless authentication, you can effectively mitigate the risk of having your password stolen by phishing and a number of other methods.

Try out PureAUTH, which offers passwordless secure access to not just Office 365 but many other services like AWS, GCP, G-Suite, Microsoft Azure and others.